A honeypot field is a hidden form input invisible to human users but filled in by automated spam bots, allowing the server to identify and reject bot submissions.
Spam bots crawl the web looking for forms to fill out. They typically work by finding all input fields on a page and filling in every one with junk data. A honeypot exploits this behavior by adding an extra hidden field that legitimate users never see or interact with.
The hidden field is usually styled with CSS (display:none or positioned off-screen) so it's invisible to real visitors using a browser. When a form is submitted, the server checks whether the honeypot field contains any value. If it does, the submission is almost certainly from a bot and can be silently discarded.
Honeypots are popular because they require zero user interaction — unlike CAPTCHAs, which ask users to solve puzzles or click checkboxes. This makes honeypots completely invisible to legitimate users, preserving a smooth form experience while blocking the majority of basic bots.
However, sophisticated bots can detect honeypot fields by analyzing CSS visibility or field naming conventions. For this reason, honeypots are most effective when combined with other techniques like rate limiting, CAPTCHA services, or AI-based spam scoring. FormsList includes honeypot protection on all plans, combined with optional reCAPTCHA, Turnstile, or hCaptcha integration.
Add an input named 'website' with CSS display:none. Bots fill it in; humans never see it. If the field has a value on submission, reject it.
Position an input at left:-9999px so it's off-screen. Screen readers can be told to skip it with aria-hidden='true' for accessibility compliance.
Record the timestamp when the form loads. If the form is submitted in under 2 seconds (faster than any human could type), flag it as a bot submission.
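The three techniques above combined into one server-side check, as an added example in Node.js (not FormsList's own code). The field names ts and sig, the HMAC-signed timestamp, the placeholder secret and the one-hour expiry are assumptions of this example; the signature is there so a client cannot simply submit an older timestamp to pass the 2-second check.

```javascript
const nodeCrypto = require('crypto');

const SECRET = 'replace-with-server-side-secret'; // placeholder, keep out of the page
const HONEYPOT_NAME = 'website';   // field name used in the text above
const MIN_FILL_MS = 2000;          // the "under 2 seconds" threshold from the text
const MAX_AGE_MS = 60 * 60 * 1000; // assumption: a rendered form is valid for 1 hour

// HMAC over the render time, so the server can trust the value it gets back.
function sign(ts) {
  return nodeCrypto.createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Markup to embed in the form when the page is rendered.
// tabindex="-1" makes keyboard focus skip the trap; autocomplete="off" asks
// browser autofill not to fill it, which would flag a real visitor.
function renderTrapFields(now = Date.now()) {
  return [
    '<div style="position:absolute;left:-9999px" aria-hidden="true">',
    `  <input type="text" name="${HONEYPOT_NAME}" tabindex="-1" autocomplete="off">`,
    '</div>',
    `<input type="hidden" name="ts" value="${now}">`,
    `<input type="hidden" name="sig" value="${sign(now)}">`,
  ].join('\n');
}

// body is the parsed form submission; returns { spam, reason }.
function checkSubmission(body, now = Date.now()) {
  const trap = body[HONEYPOT_NAME];
  if (typeof trap === 'string' && trap.trim() !== '') {
    return { spam: true, reason: 'honeypot-filled' };
  }
  const ts = Number(body.ts);
  const given = Buffer.from(String(body.sig || ''), 'hex');
  const expected = Buffer.from(sign(ts), 'hex');
  // Missing, malformed or tampered timestamp: the signature will not match.
  if (!Number.isFinite(ts) || given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { spam: true, reason: 'bad-timestamp' };
  }
  const elapsed = now - ts;
  if (elapsed < MIN_FILL_MS) return { spam: true, reason: 'too-fast' };
  if (elapsed > MAX_AGE_MS) return { spam: true, reason: 'expired' };
  return { spam: false, reason: 'ok' };
}
```

Log the reason and return the same success response either way, so flagged submissions are discarded silently as described above.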